Overview

overview

10

Static

static

7

1310121612...52.exe

windows7-x64

10

1310121612...52.exe

windows10-2004-x64

10

$PLUGINSDI...el.dll

windows7-x64

7

$PLUGINSDI...el.dll

windows10-2004-x64

7

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$_63_/PowerRun64.exe

windows7-x64

4

$_63_/PowerRun64.exe

windows10-2004-x64

3

$_63_/SetACL64.exe

windows7-x64

1

$_63_/SetACL64.exe

windows10-2004-x64

1

$_63_/acxx...gr.exe

windows7-x64

3

$_63_/acxx...gr.exe

windows10-2004-x64

3

$_63_/bn.bat

windows7-x64

1

$_63_/bn.bat

windows10-2004-x64

1

$_63_/bn1.bat

windows7-x64

10

$_63_/bn1.bat

windows10-2004-x64

10

$_63_/bnn.bat

windows7-x64

1

$_63_/bnn.bat

windows10-2004-x64

1

$_63_/bnoo1.bat

windows7-x64

10

$_63_/bnoo1.bat

windows10-2004-x64

10

$_63_/bnz.bat

windows7-x64

1

$_63_/bnz.bat

windows10-2004-x64

1

$_63_/dotN...up.exe

windows7-x64

7

$_63_/dotN...up.exe

windows10-2004-x64

7

$_63_/dotN...up.exe

windows7-x64

7

$_63_/dotN...up.exe

windows10-2004-x64

7

$_63_/win_...rp.exe

windows7-x64

3

$_63_/win_...rp.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    117s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2024, 02:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    $_63_/PowerRun64.exe

  • Size

    923KB

  • MD5

    efe5769e37ba37cf4607cb9918639932

  • SHA1

    f24ca204af2237a714e8b41d54043da7bbe5393b

  • SHA256

    5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

  • SHA512

    33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

  • SSDEEP

    24576:X2DW/xbMX2YIbxQsu3/PNLoQ+HyS2I4jRk:X2EgXoQsW/PNUQWnX4jRk

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /P:131624
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
      • C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
        "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /P:131624
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
        • C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
          "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /P:131624
          4⤵
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2488
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241205020900.log C:\Windows\Logs\CBS\CbsPersist_20241205020900.cab
    1⤵
    • Drops file in Windows directory
    PID:1276

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.ini
          Filesize

          3KB

          MD5

          4e883b62ef49f9f40a6e6ad51bc8c46b

          SHA1

          44a7a10d92ab4b2f80ad64300d74498c8e5bfa3e

          SHA256

          058f918262ad39652ca9e1d4fdcc454395bfe2bf21d5869ece80846db23d1ce3

          SHA512

          f3adbfe82d7e00ea688be2725b4927c03c12821fb8fb7607630fd8f2fab3bc2806ec6a7c626ce5cc6361e3859b4562eae9180f1f2f0ba2fa6c8ae791a7715480

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rkxrpuf
          Filesize

          81KB

          MD5

          940b1915cadee0e2b33d80799816f6c7

          SHA1

          2c10e4fec3e8c054055d1ed78757117575f273f2

          SHA256

          81e89e7266cfe5158e44f5578c8be61353e781daebdd47a33597e9ec503d379c

          SHA512

          cc3c574fd5392c1b54146b591e22b1c01c95e34a602c403ad96c49b7ee6ad31d1478a00cc1334286addc5cb94496372a172745e9ad20554023e1e22c7da1e1c5

          Download Submit

        • C:\Windows\Temp\aut472E.tmp
          Filesize

          25KB

          MD5

          436c1bb98deeccecb73fad945f1dd3dc

          SHA1

          774313ba911945589971bbc73498d81f060dabe6

          SHA256

          05eae1691149cc66e458d5e5b4430bd3b938b278b8bdb2c887a13c9871004c51

          SHA512

          66ea41b9b4a42f7c40d1ce5b6e82a6f03e8489648b912d96a81efa13d340d4d651078df7c1302c595ca83408e7208d1d79f02165dc27383952a9abe7f851c3e2

          Download Submit